From 59d1872c9ce9c0db9cd2f1a95ebd3ac89037f10d Mon Sep 17 00:00:00 2001 From: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com> Date: Thu, 16 Feb 2023 15:05:35 -1000 Subject: [PATCH] Ra rhel/djgalvan (#28428) * Provide RHEL developer certificate instructions. * RHEL for certs /8 * RHEL for certs /8 --------- Co-authored-by: David J Galvan Jr --- aspnetcore/security/enforcing-ssl.md | 97 +++++++++++++++++++++++++++- 1 file changed, 94 insertions(+), 3 deletions(-) diff --git a/aspnetcore/security/enforcing-ssl.md b/aspnetcore/security/enforcing-ssl.md index f7fa97fb99..22eb0dd3b9 100644 --- a/aspnetcore/security/enforcing-ssl.md +++ b/aspnetcore/security/enforcing-ssl.md @@ -5,12 +5,12 @@ description: Learn how to require HTTPS/TLS in an ASP.NET Core web app. ms.author: riande monikerRange: '>= aspnetcore-3.0' ms.custom: mvc -ms.date: 01/04/2023 +ms.date: 2/14/2023 uid: security/enforcing-ssl --- # Enforce HTTPS in ASP.NET Core -By [Rick Anderson](https://twitter.com/RickAndMSFT) +By [David Galvan](https://github.com/djgalvan) and [Rick Anderson](https://twitter.com/RickAndMSFT) This document shows how to: @@ -306,6 +306,8 @@ The path in the preceding command is specific for Ubuntu. For other distribution ### Trust HTTPS certificate on Linux using Edge or Chrome +# [Ubuntu](#tab/linux-ubuntu) + For chromium browsers on Linux: * Install the `libnss3-tools` for your distribution. @@ -330,7 +332,7 @@ For chromium browsers on Linux: -### Trust the certificate with Firefox on Linux +#### Trust the certificate with Firefox on Linux * Export the certificate with the following command: 
@@ -359,6 +361,95 @@ EOF See [Configure trust of HTTPS certificate using Firefox browser](#trust-ff-ba) in this document for an alternative way to configure the policy file using the browser. +# [Red Hat Enterprise Linux](#tab/linux-rhel) + +> [!WARNING] +> The following instructions are intended for development purposes only. Do not use the certificates generated in these instructions for a production environment. + +These instructions use Mozilla's *legacy* tool [certutil](https://firefox-source-docs.mozilla.org/security/nss/legacy/tools/nss_tools_certutil/index.html). Instructions may be updated as modern utilities and practices are discovered. + +> [!CAUTION] +> Improper use of TLS certificates could lead to spoofing. + +> [!TIP] +> Instructions for valid production certificates can be found in the RHEL Documentation. +> [RHEL8 TLS Certificates](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/securing_networks/index#creating-and-managing-tls-keys-and-certificates_securing-networks) +> [RHEL9 TLS Certificates](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html-single/securing_networks/index#creating-and-managing-tls-keys-and-certificates_securing-networks) +> [RHEL9 Certificate System](https://access.redhat.com/documentation/en-us/red_hat_certificate_system/9) + +### Install Dependencies + +```sh +dnf install nss-tools +``` + +### Export The ASP.NET Core Development Certificate: + +> [!IMPORTANT] +> Replace `${ProjectDirectory}` with your projects directory. +> Replace `${CertificateName}` with a name you'll be able to identify in the future. + +```sh +cd ${ProjectDirectory} +dotnet dev-certs https -ep ${ProjectDirectory}/${CertificateName}.crt --format PEM +``` + +> [!CAUTION] +> If using git, add your certificate to your `${ProjectDirectory}/.gitignore` or `${ProjectDirectory}/.git/info/exclude`. +> View the [git documentation](https://git-scm.com/docs/gitignore) for information about these files. 
+ +> [!TIP] +> You can move your exported certificate outside of your Git repository and replace the occurrences of `${ProjectDirectory}`, in the following instructions, with the new location. + +### Import The ASP.NET Core Development Certificate + +> [!IMPORTANT] +> Replace `${UserProfile}` with the profile you intend to use. +> Do not replace `$HOME`, it is the environment variable to your user directory. + +#### Chromium-based Browsers + +```sh +certutil -d sql:$HOME/.pki/nssdb -A -t "P,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt +certutil -d sql:$HOME/.pki/nssdb -A -t "C,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt +``` + +#### Mozilla Firefox + +```sh +certutil -d sql:$HOME/.mozilla/firefox/${UserProfile}/ -A -t "P,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt +certutil -d sql:$HOME/.mozilla/firefox/${UserProfile}/ -A -t "C,," -n ${CertificateName} -i ${ProjectDirectory}/${CertificateName}.crt +``` + +#### Create An Alias To Test With Curl + +> [!IMPORTANT] +> +> Don't delete the exported certificate if you plan to test with curl. +> You'll need to create an alias referencing it in your `$SHELL`'s profile + +```sh +alias curl="curl --cacert ${ProjectDirectory}/${CertificateName}.crt" +``` + +### Cleaning up the Development Certificates + +```sh +certutil -d sql:$HOME/.pki/nssdb -D -n ${CertificateName} +certutil -d sql:$HOME/.mozilla/firefox/${UserProfile}/ -D -n ${CertificateName} +rm ${ProjectDirectory}/${CertificateName}.crt +dotnet dev-certs https --clean +``` + +>[!NOTE] +> Remove the curl alias you created earlier + +# [SUSE Linux Enterprise Server](#tab/linux-sles) + +See [this GitHub issue](https://github.com/dotnet/AspNetCore.Docs/issues/28292) + +--- + ### Trust the certificate with Fedora 34
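Review bot: In the front-matter hunk (`@@ -5,12`), `ms.date: 2/14/2023` drops the zero-padding that the replaced value `01/04/2023` used. Write it as `02/14/2023` so the field keeps the same MM/DD/YYYY form it had before this change.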
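Review bot: The `# [Ubuntu](#tab/linux-ubuntu)` marker in the `@@ -306` hunk opens the tab group directly under `### Trust HTTPS certificate on Linux using Edge or Chrome`, but the group it starts goes on to hold Firefox and curl steps (the demoted Firefox heading and the whole RHEL tab). Rename the parent heading to something browser-neutral, or open the tab group under a heading that covers all of its tabs, so readers looking for Firefox or RHEL steps can find them from the outline.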
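Review bot: The `####` demotion of `Trust the certificate with Firefox on Linux` in the `@@ -330` hunk is not carried through to the rest of the tab group: the RHEL tab added in the same patch uses `###` for `Install Dependencies`, `Export The ASP.NET Core Development Certificate:` and the sections after them, which puts them level with the section heading that contains the tabs. Use the same nesting in both tabs, and drop the trailing colon from the export heading while there.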
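Review bot: In the RHEL tab (`@@ -359` hunk), `alias curl="curl --cacert ${ProjectDirectory}/${CertificateName}.crt"` shadows `curl` for every request made from that shell, and `--cacert` makes the exported development certificate the file curl verifies peers against, so calls to other HTTPS hosts will fail verification until the alias is removed. Suggest a distinct alias name (for example `curl-dev`) or passing `--cacert` on the individual test command instead. The same block expands `${ProjectDirectory}` and `${CertificateName}` unquoted in the `dotnet dev-certs`, `certutil` and `rm` lines, which splits a path containing spaces into separate arguments; quote them, as in `rm "${ProjectDirectory}/${CertificateName}.crt"`. Each import also runs `certutil -A` twice under the same nickname, first with `-t "P,,"` and then with `-t "C,,"`, with no explanation; state what each trust flag grants and why both calls are needed, since `C` marks the certificate as a trusted CA in the user's NSS database and the only guidance nearby is the general caution about spoofing.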